Linkerd Guide
Linkerd is a service mesh for Kubernetes. It makes running services easier and safer by giving you runtime debugging, observability, reliability, and security — all without requiring any changes to your code.
It includes these main features:
The next steps assume that you already have a running K8s cluster (1.19-1.21) and the OpenDAX v4 stack installed on it.
The following tools are required:
linkerd:
curl https://run.linkerd.io/install | sh
The Control Plane is a set of services that run in a dedicated Kubernetes namespace (linkerd by default). It includes the identity service, which acts as a TLS Certificate Authority to implement mTLS for proxy-to-proxy communication; the proxy injector, which injects proxies into meshed Pods when they are created; and the destination service, which handles discovery for meshed Pods.
Run linkerd check --pre to verify that your cluster is ready for installation. If the command above suggests an installation command with additional flags, proceed by running it; otherwise, use the following:
linkerd install | kubectl apply -f -
And verify that installation was successful:
linkerd check --verbose
The --verbose flag is used here so that you can determine why the check process is stuck (in case it is). You can also verify the installation directly with kubectl. To do that, check the Control Plane Pods' statuses:
kubectl get pods -n linkerd
If the installation was successful, you should see the following output:
NAME READY STATUS RESTARTS AGE
linkerd-destination-69466f9f96-c578r 4/4 Running 0 5m
linkerd-identity-847445f99d-t6fgk 2/2 Running 0 5m
linkerd-proxy-injector-58b844f4d6-xqcsw 2/2 Running 0 5m
Linkerd provides a full on-cluster metrics stack, including CLI tools, a web dashboard, and pre-configured Grafana dashboards.
This stack is installed as an extension into a separate Kubernetes namespace (linkerd-viz by default). To install it, run the following command:
linkerd viz install | kubectl apply -f -
Wait for all Pods to become ready:
kubectl get pods -n linkerd-viz
If the installation was successful, you should see that all Pods are in the Ready state:
NAME READY STATUS RESTARTS AGE
grafana-55cb88dcb4-wzz5h 2/2 Running 0 2m
metrics-api-569cd6f764-t5w6x 2/2 Running 0 2m
prometheus-566d749845-tbltk 2/2 Running 0 2m
tap-848f577786-hsqrg 2/2 Running 0 2m
tap-injector-5c4d5897f7-r46rl 2/2 Running 0 2m
web-5b7cb69f49-f7j9q 2/2 Running 0 2m
If they are not, or if they start to crash and restart, try applying the following Linkerd ServerAuthorization resource:
cat <<EOF | kubectl apply -f -
# Allows unauthenticated clients from any IPv4/IPv6 address to reach
# every Server in the linkerd-viz namespace (empty selector).
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: default
  namespace: linkerd-viz
spec:
  client:
    networks:
      - cidr: 0.0.0.0/0
      - cidr: ::/0
    unauthenticated: true
  server:
    selector: {}
EOF
Finally, verify the linkerd-viz installation:
linkerd viz check --verbose
After that you should be able to access the Linkerd dashboard:
linkerd viz dashboard
Pods are added to the Service Mesh by setting the linkerd.io/inject annotation, which enables or disables proxy injection. When injection is enabled, an additional proxy container is added to the Pod upon creation. You can add it to the whole namespace:
kubectl get ns odax -oyaml | linkerd inject - | kubectl apply -f -
Or to a specific workload:
kubectl get deploy finex -oyaml | linkerd inject - | kubectl apply -f -
Or, if you choose to enable it for all Pods in the odax namespace except the realtime Deployment:
kubectl get ns odax -oyaml | linkerd inject - | kubectl apply -f -
kubectl get deploy realtime -oyaml | linkerd uninject - | kubectl apply -f -
To verify that your Pods are successfully meshed, run the command:
linkerd viz edges -n odax po
And you should see output similar to the following one:
SRC DST SRC_NS DST_NS SECURED
prometheus-566d749845-dq84x admin-d766ccf9d-rm7gh linkerd-viz odax-master √
prometheus-566d749845-dq84x finex-668db88cb4-wwwhs linkerd-viz odax-master √
prometheus-566d749845-dq84x frontdex-7775f84ff5-27rm9 linkerd-viz odax-master √
prometheus-566d749845-dq84x gotrue-6b866f94dd-b89f4 linkerd-viz odax-master √
prometheus-566d749845-dq84x local-frontdex-6c7884968f-jkvmg linkerd-viz odax-master √
prometheus-566d749845-dq84x meta-785b97fcdd-4dzqt linkerd-viz odax-master √
prometheus-566d749845-dq84x opendax-kong-6d698894bb-txgzz linkerd-viz odax-master √
prometheus-566d749845-dq84x postgrest-6b9f659c79-5bp8h linkerd-viz odax-master √
prometheus-566d749845-dq84x realtime-9788fc8c5-4zfp9 linkerd-viz odax-master √
prometheus-566d749845-dq84x storage-0 linkerd-viz odax-master √
prometheus-566d749845-dq84x storybook-6b5d766c78-lpfbr linkerd-viz odax-master √
finex-668db88cb4-wwwhs influxdb-0-0 odax-master core Not Provided By Service Discovery
finex-668db88cb4-wwwhs influxdb-1-0 odax-master core Not Provided By Service Discovery
finex-668db88cb4-wwwhs influxdb-2-0 odax-master core Not Provided By Service Discovery
finex-668db88cb4-wwwhs postgresql-postgresql-0 odax-master core Not Provided By Service Discovery
frontdex-7775f84ff5-27rm9 postgresql-postgresql-0 odax-master core Not Provided By Service Discovery
gotrue-6b866f94dd-b89f4 postgresql-postgresql-0 odax-master core Not Provided By Service Discovery
local-frontdex-6c7884968f-jkvmg postgresql-postgresql-0 odax-master core Not Provided By Service Discovery
postgrest-6b9f659c79-5bp8h postgresql-postgresql-0 odax-master core Not Provided By Service Discovery
storage-0 postgresql-postgresql-0 odax-master core Not Provided By Service Discovery
opendax-kong-6d698894bb-txgzz finex-668db88cb4-wwwhs odax-master odax-master √
This output lists all observed connections of meshed Pods in the specified namespace (odax in this case). If you see something similar to the above, then the installation and proxy injection were successful.
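A check for the edges table above, as an added example that is not part of the original guide or the Linkerd project: it lists every row whose SECURED column is not √, which is where traffic is not covered by the mesh's mTLS. The function names are hypothetical and the sample rows are constructed in the same shape as the output above.

```shell
#!/bin/sh
# Added example: filter `linkerd viz edges` table output for edges
# that are not reported as secured.

# unsecured_edges reads the table on stdin and prints one line per
# unsecured edge in the form "src_ns/src -> dst_ns/dst: reason".
unsecured_edges() {
  awk '
    NR == 1 && $1 == "SRC" { next }   # skip the header row
    NF < 5 { next }                   # ignore blank or short lines
    $5 != "√" {
      # The reason text can span several whitespace-separated fields.
      reason = $5
      for (i = 6; i <= NF; i++) reason = reason " " $i
      printf "%s/%s -> %s/%s: %s\n", $3, $1, $4, $2, reason
    }
  '
}

# Constructed sample input (not captured from a live cluster).
sample_edges() {
  cat <<'EOF'
SRC                           DST                       SRC_NS        DST_NS        SECURED
prometheus-566d749845-dq84x   finex-668db88cb4-wwwhs    linkerd-viz   odax-master   √
finex-668db88cb4-wwwhs        postgresql-postgresql-0   odax-master   core          Not Provided By Service Discovery
opendax-kong-6d698894bb-txgzz finex-668db88cb4-wwwhs    odax-master   odax-master   √
EOF
}

# count_unsecured prints how many edges in the sample are unsecured.
count_unsecured() {
  sample_edges | unsecured_edges | wc -l | tr -d ' '
}

# Against a live cluster (requires cluster access):
#   linkerd viz edges -n odax po | unsecured_edges
sample_edges | unsecured_edges
```
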
You can use more observability tools with the linkerd viz subcommand, or you can explore them in the Web UI, which can be port-forwarded to your host by running the above-mentioned command linkerd viz dashboard.